b'\x0cBecause this report contains proprietary information and addresses issues associated\nwith physical security, we do not intend to release the specific findings to the public.\n\n\n             RESTRICTED DISTRIBUTION \xe2\x80\x93 FOR OFFICIAL USE ONLY\n\x0cThis Page Intentionally Left Blank\n\x0cCONTENTS\n\n\nSection                                                         Page\n\n\n\n   ACRONYMS AND ABBREVIATIONS                                    ii\n\n   PREFACE                                                       1\n\n\n   EXECUTIVE SUMMARY                                             2\n\n\n   BACKGROUND                                                    3\n\n\n   OBJECTIVES, SCOPE AND METHODOLOGY                             6\n\n\n   RESULTS IN DETAIL                                             7\n        A. Facility Risk Assessment                              7\n          B. Physical Security                                   10\n              a. Security Operations and Administration Needs\n                                                                 10\n                 Improvement\n              b. Facility Entrance Security                      15\n              c. Security Systems                                19\n              d. Site and Interior Security                      21\n\n          C. Conclusion                                          22\n\n   APPENDICES\n\n          A.                                                     24\n\n          B. Management Response                                 25\n\n\n\n\n                                                                       i\n\x0cACRONYMS AND ABBREVIATIONS\n\nCCTV              Closed Circuit Television\nCOOP              Continuity of Operations\nDHS               Department of Homeland Security\nDO                Designated Official\nDOJ               Department of Justice\nFCA               Farm Credit Administration\nFDIC              Federal Deposit Insurance Corporation\nFederal Reserve   Board of Governors of the Federal Reserve System\nFOUO              For Official Use Only\nFPS               Federal Protective Service\nFSC               Facility Security Committee\nFSL               Facility Security Level\nID                Identification\nIDS               Intrusion Detection System\nISC               Interagency Security Committee\nNCUA              National Credit Union Administration\nOIG               Office of Inspector General\nPSI               Protection Strategies Incorporation\nSBA               Small Business Administration\nSEC               Security and Exchange Commission\nSSP               Senior Staff Position\n\n\n\n\n                                                                     ii\n\x0cBuilding Security Review at NCUA\xe2\x80\x98s Central Office and Region II\nOIG-11-XX\n\n\nPreface\n\nProtecting Federal employees and the public who visit U.S. government owned- or\nleased-facilities is a complex and challenging responsibility. From the terrorist\nattacks of September 11, 2001, and the subsequent Brentwood Postal Facility\nanthrax case that same year, to the more recent hostage situation at the Discovery\nChannel building in Silver Spring, Maryland, as well as the recent incidents involving\nthe ignition of incendiary devices in packages that were mailed to two state office\nbuildings in Maryland, the need to provide heightened protection for Federal facilities\nand those who occupy and visit them has never been more critical. In light of these\nmore recent attacks, the NCUA Board rightfully requested the Office of Inspector\nGeneral (OIG) move up its timetable for performing its 2011 planned review of\nbuilding security measures at the NCUA\xe2\x80\x98s Central Office and Region II facility.\n\nIn the broad and constantly evolving area of security and, in particular, physical\nsecurity at Federal facilities, we in the OIG do not hold ourselves out as experts in\nthe field. However, we approached this review in the same objective manner we\nconduct all of our reviews and believe we have developed a report that will not only\nhelp the NCUA Board and management make decisions today that will help close\nthe gap on several security vulnerabilities we detected, but will also provide a\nroadmap to plan for vulnerabilities that the agency might face in the future.\n\nThis report outlines current Federal guidance and NCUA\xe2\x80\x98s adherence to this\nguidance, provides the OIG\xe2\x80\x98s assessment of NCUA\xe2\x80\x98s current physical security\nmeasures in place, and makes three recommendations the OIG believes are crucial\nto helping ensure NCUA\xe2\x80\x98s facility and its occupants continue to remain safe.\n\n\n\n\n                                                                  For Official Use Only   1\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\nExecutive Summary\n\nThe National Credit Union Administration (NCUA) Office of Inspector General (OIG)\nconducted a review of facility security at NCUA\xe2\x80\x98s Central Office. We reviewed\nfacility security to: (1) assess the adequacy of physical building security measures at\nNCUA\xe2\x80\x98s Central Office. Within this objective, we placed a particular emphasis upon\nreviewing building security access and controls, specifically related to: (a) security\noperations and administration;(b) facility entrance security; (c) security systems, and\n(d) site and interior security. To achieve these objectives, we interviewed\nmanagement and staff in NCUA\xe2\x80\x98s Division of Procurement and Facilities\nManagement (DPFM); conducted physical observations of current building security\ncontrols and operations; reviewed NCUA policies and procedures related to building\nsecurity; benchmarked with five Federal agencies, and obtained and reviewed\nDepartment of Homeland Security\xe2\x80\x98s (DHS) security facility risk assessment\nstandards.\n\n\n\n\n                                               As a result, we are making three\nrecommendations to correct these deficiencies. Management agreed with our first\nrecommendation and agreed with all but one aspect of our second recommendation.\nHowever, management disagreed with our third recommendation. The OIG\nconsiders all three recommendations as resolved.\n\n\n\n\nWe appreciate the cooperation and courtesies NCUA management and staff\nprovided to us during this review.\n\n\n\n\n                                                              For Official Use Only   2\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\nBackground\n\nIn 1993, the NCUA purchased the building located at 1775 Duke Street in\nAlexandria, Virginia as office space for its Central Office and Region II staff.\nCurrently, the NCUA has approximately 250 employees working in this office\nlocation. The NCUA office building (facility) is part of a larger office complex which\nincludes three other office buildings and a hotel, as well as a shared underground\nparking garage. The facility has seven floors and approximately 167,000 square feet\nof usable space. There are four tenants within the facility. NCUA is the primary\nbuilding tenant occupying most of the first floor and all of floors 2 through 7. The\nother three tenants--an investment firm, an education center and a retail shop--\noccupy space on the first floor with each having separate entrances for pedestrian\ntraffic. Neither of these tenants has space directly connected to or accessible to\nNCUA occupied space.\n\nThe facility is located in an overall commercial section of Alexandria, primarily\npopulated with office buildings and some retail establishments. Nearby is a major\nrail station, a Federal courthouse, and the U.S. Patent and Trademark Office\ncomplex.\n\nPhysical Security Guidance\n\nFederal, as well as NCUA\xe2\x80\x98s, physical security standards have evolved over time. In\n1995, the U.S. Department of Justice (DOJ) established the first set of Government-\nwide physical security standards for Federal facilities. After the Oklahoma City\nbombing of the Alfred Murrah Federal Building in 1995, the President ordered a\nvulnerability assessment of all Federal facilities to terrorism or violence. The DOJ\nissued a Vulnerability Report, which developed minimum physical security standards\nfor civilian federally owned or leased facilities.\n\nIn January 1996, the NCUA issued Instruction No. 1063 to establish security\nprocessing procedures for employees and contractors in the Central Office. In\nDecember 1996, NCUA management rescinded Instruction No. 1063 and issued\nInstruction 1063.1, which established agency procedures on building access control\nfor the facility. The revised instruction essentially implemented a security program\nutilizing identification (ID) badges for all employees as well as detailed instructions\nfor visitors.\n\n\n\n\n                                                              For Official Use Only   3\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\n                                                                     r\n\n\n\n\n1\n\n\n2\n3\n\n\n\n\n                                                    For Official Use Only   4\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\nPhysical Security Assessment\n\nAlthough the Department of Homeland Security\xe2\x80\x98s Federal Protective Service (FPS)\nperforms building security reviews as part of its mission, we determined FPS only\nperforms these services for GSA owned and/or leased properties and does not\nventure beyond those parameters. Accordingly, NCUA contracted with Protection\nStrategies Incorporated (PSI), a private security support firm,4 for a physical security\nassessment of the NCUA facility. In October 2010, PSI completed its assessment of\nNCUA\xe2\x80\x98s physical security program and issued its report to the NCUA. PSI assessed\nthe NCUA facility in seven major categories,\n\n\n\n\nDespite PSI\xe2\x80\x98s rather comprehensive review of NCUA\xe2\x80\x98s physical security measures\ncurrently in place, as well as its recommendations to correct the identified\ndeficiencies, we believe the review stopped short in addressing one very basic and\nimportant, physical security concern \xe2\x80\x93\n\n\nThe OIG\xe2\x80\x98s 2011 Annual Audit Plan included a review of security measures at the\nNCUA\xe2\x80\x98s Central Office and Region II facility. The NCUA Board, upon review of the\nOIG\xe2\x80\x98s Annual Audit Plan, requested that the OIG accelerate the timetable for this\nreview and asked that it be conducted immediately.\n\n\n\n\n4\n According to PSI\xe2\x80\x98s website, PSI provides security support services to many agencies within the Federal\nGovernment as well as private corporations nationwide and overseas.\n\n\n                                                                               For Official Use Only      5\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\nObjectives, Scope, and Methodology\n\nThe objective of our review was to assess the adequacy of physical building security\nmeasures at NCUA\xe2\x80\x98s Central Office.\n\n\n\n\nThe scope of our review covered building security measures in place at NCUA\xe2\x80\x98s\nCentral Office and Region II facility located at 1775 Duke Street in Alexandria,\nVirginia during the period from December 2010 to June 2011.\n\nTo accomplish our objective we:\n\n    \xef\x82\xb7   Interviewed management and staff in NCUA\xe2\x80\x98s Department of Procurement\n        and Facilities Management (DPFM), a component division of the NCUA Office\n        of the Chief Financial Officer;\n    \xef\x82\xb7   Conducted physical observations of current building security controls and\n        operations;\n    \xef\x82\xb7   Reviewed NCUA policies and procedures related to building security;\n    \xef\x82\xb7   Reviewed a recently-completed risk assessment report prepared by a private\n        contractor for DPFM;\n    \xef\x82\xb7   Reviewed NCUA\xe2\x80\x98s self assessed risk level;\n    \xef\x82\xb7   Benchmarked with five Federal agencies5 to determine the extent of physical\n        access security measures in place; and\n    \xef\x82\xb7   Obtained and reviewed DHS\xe2\x80\x98 security facility risk assessment standards for\n        comparison with NCUA\xe2\x80\x98s facility risk assessment and overall adherence to\n        the standards.\n\nWe conducted this review from December 2010 through June 2011 in accordance\nwith generally accepted government auditing standards, and included such tests of\ninternal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the review to obtain sufficient,\nappropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our review objective. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our review objectives.\n\n\n\n\n5\n  The five benchmarked agencies are the Federal Deposit Insurance Corporation (FDIC), the Board of Governors\nof the Federal Reserve System (Federal Reserve), Securities and Exchange Commission (SEC), Farm Credit\nAdministration (FCA), and the Small Business Administration (SBA). (Note: The SBA was chosen because of\nsimilarities with their parking garage. Both SBA and NCUA allow the public to park in their garages.)\n\n\n\n                                                                            For Official Use Only         6\n\x0c\x0c\x0c\x0c\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\noccupied the Facility Manager position since 1989 and gained significant on-the-job\nexperience since then, this individual had no previous experience or specialized\nformal training in security, safety, and emergency management. Nevertheless,\nresponsibility for facilities and physical management is a critical element of the DO\xe2\x80\x98s\njob description.\n\nThe DO is supervised by the DPFM Director. While the Director, DPFM, likewise\nhas had no specialized formal training in facility physical security, this individual\xe2\x80\x98s\nbackground includes 35 years of significant experience in physical security.\nHowever, even though the DPFM Director has overall responsibility for the\nmanagement of facility security at NCUA, none of the position\xe2\x80\x98s duties mentions\nsecurity or safety responsibilities.\n\n\n\n\nAlthough NCUA technically meets the requirement of the ISC standard because the\nagency has identified a DO responsible for the safety and security of the facility and\nits occupants, we believe the position should be staffed by an expert in the field of\nsecurity. We found that all of our benchmarking partners have DO\xe2\x80\x98s at the office or\ndivision director level with responsibility for overseeing every aspect of facility\nsecurity. These DO\xe2\x80\x98s have specialized security backgrounds and qualify as experts\nin the field of security. We believe the duties and responsibilities of the DO position\nat NCUA should be removed from the existing Facility Manager position and a\nseparate position should be created. The new position should require that the\nincumbent be qualified as a bona fide security expert in the field.\n\nIn addition, we also determined NCUA does not have an official facility security\ncommittee (FSC) to address facility-specific security and safety issues, as ISC\nrecommends. The role of such a committee is to bring forth all security-related\nproposals for countermeasures before NCUA management for approval/non-\napproval and implementation, as necessary. Lacking an FSC, we believe, exposes\nthe facility, its occupants, and the mission of the agency to risks\n\n\n\n\n                                                               For Official Use Only      11\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\nRecommendations\n\nWe recommend NCUA management:\n\n    1. Revise the current Facility Manager (CU-1640-13) Position Description by\n       removing all references to physical security related functions of the position.\n\nManagement Response\n\nManagement agreed with the OIG\xe2\x80\x98s recommendation to remove references to\nphysical security-related functions from the position description of the Facility\nManager.\n\nOIG Comment\n\nThe OIG concurs with management\xe2\x80\x98s planned action.\n\nWe recommend NCUA management:\n\n    2. Create and staff one permanent full-time position to serve as the NCUA\xe2\x80\x98s\n       Designated Official and/or federal security manager. The incumbent should\n       possess physical security expertise, and will be responsible for all security\n       related matters. Such duties and responsibilities should include (but not be\n       limited to):\n\n             a. Assessing facility security levels in accordance with ISC standards at\n                all NCUA owned or leased facilities;\n             b. Assessing building security vulnerabilities at all NCUA owned or leased\n                facilities;\n             c. Recommending building security measures to address facility security\n                levels, vulnerabilities, and cost/benefit analysis;\n             d. Overseeing all aspects of NCUA physical security operations;\n             e. Overseeing all aspects of personnel security\n             f. Overseeing all NCUA employee safety related functions;\n             g. Involvement with all agency Continuity of Operations (COOP) efforts;\n             h. Serving on the Facility Security Committee outlined in\n                Recommendation 3, below.\n\n\n\n\n                                                             For Official Use Only   12\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\nManagement Response\n\nManagement agreed with the OIG\xe2\x80\x98s recommendation to create and staff one\npermanent full-time position to serve as NCUA\xe2\x80\x98s Designated Official and/or federal\nsecurity manager. However, with respect to 2.e. (above), management believes that\npersonnel security duties should remain in the Office of Human Resources.\n\nOIG Comment\n\nThe OIG concurs with management\xe2\x80\x98s planned action to create and staff one\npermanent full-time position to serve as the NCUA\xe2\x80\x98s Designated Official and/or\nfederal security manager. However, the OIG does not agree with management\xe2\x80\x98s\nplanned action to retain the duties of personnel security within the Office of Human\nResources. The OIG believes a more efficient and effective solution would be to\ninclude all building and personnel security duties under the newly created\nDesignated Official position. The OIG believes this would not only consolidate all\nsecurity-related matters, but also ensure that the Designated Official is aware that\nanyone granted unfettered access to the building has been properly cleared.\n\nWe recommend NCUA management:\n\n    3. Create a Facility Security Committee in accordance with all applicable ISC\n       standards responsible for addressing facility-related security and safety\n       issues and presenting all security measures and practices to NCUA\n       management for approval/non-approval and implementation, as necessary.\n\nManagement Response\n\nManagement does not agree with the establishment of a Facility Security\nCommittee. Management believes security improvements should be raised to\nexecutive management through the existing budget approval process.\n\nOIG Comment\n\nThe OIG defers to management\xe2\x80\x98s decision to consider security improvements\nthrough the annual budget request for consideration by the Office of the Executive\nDirector and ultimately, the NCUA Board.\n\n\n\n\n                                                            For Official Use Only    13\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\n                                                    For Official Use Only   14\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\nFacility Entrance Security\n\n\n\n\n12\n\n\n13\n\n\n\n\n                                                    For Official Use Only   15\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\n15\n\n\n17\n\nt\n\n\n                                                    For Official Use Only   16\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\n18\n\n\n\n\n                                                    For Official Use Only   17\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\n                                                    For Official Use Only   18\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\nSecurity Systems\n\n\n\n\n                                                    For Official Use Only   19\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\n                                                    For Official Use Only   20\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\nSite and Interior Security\n\n\n\n\n                                                    For Official Use Only   21\n\x0c\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\nstatus of building security at NCUA, we believe the three recommendations set forth\non page 12 of this report are reasonable and well grounded.\n\n\n\n           Therefore, by leaving these decisions with the DO, we believe this\nindividual would assist the agency in making those decisions that work best for the\nlevel of protection and the level of risk NCUA management is willing to accept to\nkeep the facility and its occupants safe.\n\n\n\n\n                                                           For Official Use Only   23\n\x0cFacility Security Review at NCUA\xe2\x80\x98s Central Office\nOIG-11-06\n\n\n\n\n                                                    For Official Use Only   24\n\x0cAppendix B: Management Response\n\n\n\n\n                                  For Official Use Only   25\n\x0c\x0c\x0c\x0c\x0c\x0c\x0c'